I've read some information on AES-256 encryption methods. But I'm still confused on what's the importance of the key length?

Context: I want to encrypt a 7Zip archive with the AES-256 option. And I'm wondering how long my password should be. I don't want to consider the ways of generating a password here; let's assume I have the capacity to generate a fully random password with characters, numbers and symbols. I don't want to talk about time to crack the encryption, since I've got no example to propose on this.

Question: If I'm using 256-bit AES, does that mean I should use at least a 256-bit key, thus, 32 characters? If that's wrong, why is it wrong?

I've read some information regarding AES here: How secure is AES against Brute Force Attacks. And it seems to say that we should use a 256-bit key.

Alex Probert
Anonymous12223
  • are you sure that password = key length? – schroeder Jan 05 '18 at 09:32
  • I think your answer is here: https://crypto.stackexchange.com/questions/34884/length-of-encryption-password-aes-256-cbc – schroeder Jan 05 '18 at 09:33
  • Long story short: The AES-256 algorithm *requires* a 256-bit key as input. It is not defined for keys of other lengths. That said, 7-zip does not feed your password directly into AES-256, it uses a key derivation function that turns any length passphrase into a suitable 256-bit input. You *should* use a passphrase with at least 128 bits of entropy (offhand, that's roughly a 20-character passphrase of random upper/lower/digits/symbols). Less is dropping below general limits of safety, and more than 256 bits won't accomplish anything. – Stephen Touset Jan 05 '18 at 09:59
  • @schroeder : Well, that's precisely the mistake I made. Thanks for the link – Anonymous12223 Jan 05 '18 at 10:43
  • @StephenTouset : Thank you for the example in number of characters. If you have a source, I'll take it though – Anonymous12223 Jan 05 '18 at 10:44
  • A source for... what, exactly? The entire reason AES-256 is AES-*256* is that it accepts 256-bit keys. 128 bits of entropy is the widespread, generally recommended level of security for cryptographic applications (excepting use-cases that involve generating absurd numbers of keys). And "20 characters" is just the simple equivalence that `(26 [lower] + 26 [upper] + 10 [digits] + 30 [symbols]) ^ 20` is ballpark equal to `2^128`. – Stephen Touset Jan 05 '18 at 22:11

2 Answers

AES-256 uses a key that is exactly 256 bits long.

Because the encryption requires a key of an exact size, 7Zip doesn't use your password directly as the encryption key. Instead, it runs the password through a key derivation function to produce a suitable encryption key.

Since your password isn't used directly as the encryption key, its length doesn't really matter. Rather, what matters is the password's "entropy", a measure of how hard it would be for an attacker who knew how you generated the password to guess what your password was. If you used 32 random bytes, you would have a password with 256 bits of entropy, as would a password of 197 characters of grammatically-correct English gibberish. Simpler passwords have lower entropy, and are easier to guess.

The key size of 256 bits puts an upper bound on the useful complexity of the password. If, for example, you used 48 random bytes (or 300 characters of gibberish), an attacker could ignore your password and instead search for a shorter password, probably 32 bytes long, that produces the same key.

Mark
  • So, does that mean the length of a password is of little importance, and what matters most is the entropy of it? – Anonymous12223 Jan 05 '18 at 10:42
  • Pretty much, yes, with the caveat that if your password is too short, you can't fit much entropy in. – Mark Jan 05 '18 at 10:46
The short answer: you can use any password you like, 7zip does not use your password as a raw key.

The long answer: The choice of AES key size is up to you, you'll need to analyze cost vs risk. 256-bit AES is generally considered safe pretty much forever against brute-force attacks (but this is not the kind of attack that will break AES).

However, you absolutely should not be using a password as the raw key. Instead, you should use a key derivation function to add some entropy and generate a reasonable key.

This is exactly what 7zip does (how well it does it and what algorithm it uses I do not know). This ultimately means that the password you use is used to generate an AES key of the right length.

Marc
  • That's why I wanted to exclude the "password complexity" aspect. Let's say I have a "reasonable key". Your answer is interesting. My question is a bit off. Do you mean there's no required length for a good "reasonable key" that would generate an AES key of the right length? – Anonymous12223 Jan 05 '18 at 10:41
  • An AES key has an exact length of 128, 192, or 256 bits (16/24/32 bytes) based on the variant you want. What I'm saying is that the password for 7zip is not the key itself. Instead, it is used as the input to a KDF to generate an AES key of the proper length. The reason to have a long and complex password is to prevent various attacks on it (brute force, dictionary). – Marc Jan 05 '18 at 10:47
  • There's just one thing I don't understand. Why should I care about what 7zip does, since an attack would be to guess my password? Isn't then the password more important than what 7zip does? – Anonymous12223 Jan 05 '18 at 18:44
  • The strength of your password is indeed important. What we are saying is that your password is not the AES key, so the length of your password has nothing to do with the AES key length. – Marc Jan 05 '18 at 18:47
  • I believe OP intended to ask about the optimum password length, and this has everything to do with the AES key length. If a password has 128 bits of entropy, then AES 256 is no better than AES 128 (or at least not significantly better). The password that takes full advantage of the encryption will be a password with the same number of bits of entropy as the length of the encryption key. For AES 256, that would be 32 random bytes (or about 35 random upper/lowercase letters, numerals, and symbols from the keyboard). – Timothy Smith Jun 04 '20 at 18:12
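Both answers above make the same two points: the passphrase is stretched by a key derivation function into a key of exactly the right size, and what limits the result is the passphrase's entropy, capped by the 256-bit key. The following is an added example illustrating both; it is not code from the question, from either answer, or from 7-Zip. It assumes PBKDF2-HMAC-SHA256 with a constructed salt and an arbitrary iteration count as a stand-in for 7-Zip's own derivation, which the page does not specify.

```python
"""Added example: fixed-length AES-256 key from a passphrase of any length,
plus an entropy estimate for random passphrases.

Assumptions (not from the page): PBKDF2-HMAC-SHA256 stands in for 7-Zip's
derivation; the salt and iteration count below are constructed values.
"""
import hashlib
import math
import secrets
import string

AES_256_KEY_BITS = 256
SALT = b"constructed-example-salt"   # constructed; real tools store a random per-archive salt
ITERATIONS = 100_000                 # assumed value, not 7-Zip's parameter

# Alphabet from the comments: 26 lower + 26 upper + 10 digits + 30 symbols = 92
COMMENT_ALPHABET_SIZE = 92


def derive_aes256_key(password: str, salt: bytes = SALT,
                      iterations: int = ITERATIONS) -> bytes:
    """Stretch a passphrase into exactly 32 bytes, whatever its length.

    A 1-character and a 300-character passphrase both yield 32 bytes; the
    iteration count makes each guess an attacker tries cost that much work.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=AES_256_KEY_BITS // 8)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    This is the 'entropy' the answers refer to; it measures the number of
    equally likely passphrases, not the character count.
    """
    return length * math.log2(alphabet_size)


def effective_security_bits(alphabet_size: int, length: int,
                            key_bits: int = AES_256_KEY_BITS) -> float:
    """Usable entropy: capped by the key size (the 'upper bound' in the answer).

    Beyond the cap, an attacker can search the 2^256 key space instead of
    the larger passphrase space, so extra passphrase length buys nothing.
    """
    return min(entropy_bits(alphabet_size, length), float(key_bits))


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest random passphrase length that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_passphrase(length: int, alphabet: str = string.ascii_letters
                      + string.digits + string.punctuation) -> str:
    """Generate a uniformly random passphrase with a CSPRNG (94-symbol alphabet)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("a", random_passphrase(20), "x" * 300):
        key = derive_aes256_key(pw)
        print(f"{len(pw):>3}-char passphrase -> {len(key) * 8}-bit key "
              f"{key.hex()[:16]}...")
    for n in (20, 32, 40):
        print(f"{n} random symbols from a {COMMENT_ALPHABET_SIZE}-symbol alphabet: "
              f"{entropy_bits(COMMENT_ALPHABET_SIZE, n):.1f} bits, "
              f"{effective_security_bits(COMMENT_ALPHABET_SIZE, n):.1f} usable")
    print("length for 128 bits:", length_for_bits(COMMENT_ALPHABET_SIZE, 128))
    print("length for 256 bits:", length_for_bits(COMMENT_ALPHABET_SIZE, 256))
```

With the 92-symbol alphabet from the comments, 20 random characters come to about 130 bits of entropy, which matches the "roughly 20 characters for 128 bits" estimate; past the point where the entropy reaches 256 bits, `effective_security_bits` stops growing, which is the upper bound Mark's answer describes. The cost of a KDF is the other half of the story raised in the comments: it does not add entropy to a weak passphrase, but it multiplies the work of every guess by the iteration count.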